In the study of Machine Learning, the focus is on supervised and unsupervised learning. (We will not be considering deep learning in this article.) Supervised learning, and many aspects of unsupervised learning, require the known anomalies to be available to learn from and then predict anomalies in test data using the trained models and then fine tune them through techniques such as cross-validation. In cybersecurity, one is usually looking for an anomaly in the midst of a huge amount of normal traffic or behavior. Such a characteristic makes the anomaly detection a very difficult problem—like finding a needle in a haystack. Furthermore, it is unrealistic to expect that training with anomalous data points in one industry, say eCommerce, is applicable to another one such as a healthcare datacenter. Additionally, modern attacks are more sophisticated and they hide themselves among many false attacks to defeat threat detection systems. Such complexity makes identifying anomalous training data points for all target industries a huge uphill battle. Lack of or difficulties in obtaining training data points make unsupervised learning a necessity in the world of cyber defense.
Given that unsupervised learning is required for such environments, one has to think through its pitfalls, recognizing that the prediction of the anomalies does not increase false positives or compromise accuracy. Various measures are used to assess the confusion matrix for accuracy, sensitivity etc., such as the Matthews Correlation Coefficient, however, it is not easy to consistently get good measures from the matrix in practice, demonstrating that more than just Machine Learning is needed to get to the desired results. There are various approaches that one can take, but the end result has to be the actionable outcome from the algorithms with minimal noise. This is where AI comes into play.
In April 2016, researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) demonstrated an artificial intelligence platform called AI2 that predicts cyber-attacks significantly better than existing systems by continuously incorporating input from human experts. The premise behind the finding is that it only needs an unsupervised suite of algorithms with feedback from expert security analysts to develop an AI-based algorithm that will detect the threats accurately. This too is a good approach, but these expert security analysts’ services come at a significant cost, both in terms of time and money.
Furthermore, many of the ML algorithms indicate the threats long after they have been introduced and have taken advantage of the vulnerability. For example, a clustering algorithm may detect a threat after analyzing a history of patterns and indicate that the anomaly that occurred has been introduced in the network or a subnet sometime back in history. These threat findings are useful once you deploy an army of security ops staff to then hone in on the root cause for the anomaly and then address it. This sounds well and good, but the anomaly may already have spread by the time the security ops staff identify the root cause, requiring much wider investigation with increasing budget and delayed response time.
Clearly, it is desirable to identify the threat that occurred in real-time as soon as it happens, as well as provide the specificity about where it occurred. Furthermore, the method of arriving at this conclusion should also be provided for added benefit of understanding and quick action to address the root cause. Such actionable intelligence must reduce the skill set required to address the threat. Moreover, in a highly developed system, it must eliminate the need to engage a human, offering the intelligence just-in-time to prevent any further damage, reducing the time it takes for a corrective action or a good combination of all to minimize the operational cost while setting the organization ahead of the attacker’s plans. Inherently, such an actionable intelligence must instill confidence in the user in preventing future attacks by learning from the attack and the response behavior. The real-time actionable intelligence should not only help in quick analysis, but should also help the organization learn from the intelligence much more rapidly and thoroughly so as to develop a better defense against not-yet-seen attacks as well.. Read More